diff --git a/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch b/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch new file mode 100644 index 00000000..60a6c54d --- /dev/null +++ b/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch @@ -0,0 +1,51 @@ +diff -up vim82/src/errors.h.cve1420 vim82/src/errors.h +--- vim82/src/errors.h.cve1420 2022-04-25 16:01:03.559985019 +0200 ++++ vim82/src/errors.h 2022-04-25 16:01:58.113332024 +0200 +@@ -383,3 +383,7 @@ EXTERN char e_cannot_use_default_values_ + INIT(= N_("E1172: Cannot use default values in a lambda")); + EXTERN char e_resulting_text_too_long[] + INIT(= N_("E1240: Resulting text too long")); ++#ifdef FEAT_EVAL ++EXTERN char e_string_or_function_required_for_arrow_parens_expr[] ++ INIT(= N_("E1275: String or function required for ->(expr)")); ++#endif +diff -up vim82/src/eval.c.cve1420 vim82/src/eval.c +--- vim82/src/eval.c.cve1420 2022-04-25 16:01:03.560985007 +0200 ++++ vim82/src/eval.c 2022-04-25 16:14:11.746600369 +0200 +@@ -3718,13 +3718,20 @@ eval_lambda( + if (**arg != ')') + { + emsg(_(e_missing_close)); +- ret = FAIL; ++ return FAIL; ++ } ++ if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC ++ && rettv->v_type != VAR_PARTIAL) ++ { ++ emsg(_(e_string_or_function_required_for_arrow_parens_expr)); ++ return FAIL; + } + ++*arg; + } + if (ret != OK) + return FAIL; +- else if (**arg != '(') ++ ++ if (**arg != '(') + { + if (verbose) + { +diff -up vim82/src/testdir/test_lambda.vim.cve1420 vim82/src/testdir/test_lambda.vim +--- vim82/src/testdir/test_lambda.vim.cve1420 2022-04-25 16:01:03.560985007 +0200 ++++ vim82/src/testdir/test_lambda.vim 2022-04-25 16:17:01.694886566 +0200 +@@ -64,6 +64,10 @@ function Test_lambda_fails() + call assert_fails('echo {a, a -> a + a}(1, 2)', 'E853:') + call assert_fails('echo {a, b -> a + b)}(1, 2)', 'E451:') + echo assert_fails('echo 10->{a -> a + 2}', 'E107:') ++ call assert_fails('eval 0->(3)()', "E1275:") ++ call assert_fails('eval 0->([3])()', "E1275:") ++ call assert_fails('eval 0->({"a": 3})()', "E1275:") ++ call assert_fails('eval 0->(xxx)()', "E121:") + endfunc + + func Test_not_lamda() diff --git a/vim.spec b/vim.spec index 00dbd32c..84012f6e 100644 --- a/vim.spec +++ b/vim.spec @@ -122,6 +122,8 @@ Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch # CVE-2022-1154 vim: use after free in utf_ptr2char Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch +# CVE-2022-1420 vim: Out-of-range Pointer Offset +Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -355,6 +357,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3044 -p1 -b .cve0554 %patch3045 -p1 -b .cve0943 %patch3046 -p1 -b .cve1154 +%patch3047 -p1 -b .cve1420 %build cd src @@ -914,6 +917,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %changelog * Mon Apr 25 2022 Zdenek Dohnal - 2:8.2.2637-17 - CVE-2022-1154 vim: use after free in utf_ptr2char +- CVE-2022-1420 vim: Out-of-range Pointer Offset * Mon Mar 28 2022 Zdenek Dohnal - 2:8.2.2637-16 - CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior